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Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 1 33). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1 )E3 Responsive to communication(s) filed on 14 July 2004 . 
2a)K This action is FINAL. 2b)D This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 1 1 , 453 O.G. 213. 

Disposition of Claims 

4) D Claim(s) is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) Q Claim(s) is/are allowed. 

6) E3 Claim(s) 1-13. 17. 18. 20. 21. 23. 24. 28. and 29 is/are rejected. 

7) D Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) D The specification is objected to by the Examiner. 

10)D The drawing(s) filed on is/are: a)D accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a). 

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 
1 !)□ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

1 2)D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 1 9(a)-(d) or (f). 
a)D All b)Q Some * c)D None of: 

1 D Certified copies of the priority documents have been received. 

2. Q Certified copies of the priority documents have been received in Application No. . 

3. D Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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DETAILED ACTION 



Claims 14, 15, 16, 19, 22, and 25-27 have been canceled. 

Claims 1 and 6-12 have been amended to incorporate limitations of canceled claims. 

Response to Arguments 

1 . Applicants arguments filed 7/14/04 have been fully considered but they are not 
persuasive. 

2. In response to applicant's argument that Escamilla does not teach storing IP 
packets that have passed through a gateway. Escamilla teaches: "Network traffic is 
usually obtained (stored) by activating a network adapter in promiscuous mode" (Page 
1 74, Escamilla). Escamilla further teaches for network packet-based IDSs to filter 
through data including Firewall logs (Page 308, Escamilla), and more specifically 
teaches combination gateway/firewall/IDS implementations (Page 194, Escamilla). 

3. Further, the definition of IDS is: "A type of security management system for 
computers and networks that gathers and analyzes information from various areas 
within a computer or a network to identify possibly security breaches, both inside and 
outside the organization. An IDS can detect a wide range of hostile attack signatures, 
generate alarms, and, in some cases, cause routers to terminate communications from 
hostile sources". Microsoft Computer Dictionary. 

4. In response to applicant's arguments that the combined references of Escamilla 
and Cheswick do not teach closing the gateway to malicious IP packets only for a 
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predetermined amount of time. The combination of references teaches blocking 
communication by firewall from an IDS detection. As broadly as stated in the claims, 
the predetermined period of time could constitute an open-ended interval, as there is no 
mention in the claims that the gateway should be reopened after the period has ended. 



Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

6. Claim 1-13, 17, 18, 20, 21 , 23, 24, 28, and 29 rejected under 35 U.S.C. 103(a) as 
being unpatentable over "Intrusion Detection" by Terry Escamilla (hereafter referred to 
as "Intrusion") in view of Cheswick. 

7. As to claim(s) 1,4,17, 20, and 23: 

Intrusion teaches a system for monitoring a network based on IP comprising: 

• Attack detection means / Intrusion Detection 

• Acquiring/Storing IP Packets / Network traffic is usually obtained by. 
"Data Source", Line 2 et seq., Intrusion) 

• Monitoring the stored IP packets / Network packet-based IDSs filter 
308, "Discovery and Detection", Line 4 et seq., Intrusion) 



.. (Page 174, 
... (Page 
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• Processing means... / Processing means is a requisite inherent to all computer 
based systems 

• Effecting a predetermined process / Custom responses can be designated for 
each event of interest (Page 308, "Discovery and Detection", Line 15 et seq., 
Intrusion) 

• Holding an algorithm for detecting / Intrusion Detection code (Page 194, Line 10 
et seq., Intrusion) 

• Generating a report output / IDS prints reports ... (Page 308, "Discovery and 
Detection", Line 21 etseq., Intrusion) 

8. The examiner takes official notice of both the motive and modification necessary 
to reject packets based on the IP packet characteristics detected by the IDS. 

9. Intrusion teaches the use of coupling an intrusion detection system with a firewall 
(Page 194, Line 5 et seq., Intrusion) in a system for monitoring and detecting general 
types of cracker attacks based on their known patterns and characteristics in a network 
based on IP. Intrusion does not explicitly teach the means for rejecting IP packets 
based on the IP header characteristics associated with the well-known specific attacks 
listed in claims. It would have been obvious to a person of ordinary skill in the art at the 
time of invention to reject packets based on the IP packet characteristics detected by 
the IDS. One of ordinary skill in the art would have been motivated to reject packets in 
this manor because rejecting packets based on IP characteristics is well known in the 
art as a method by which packet filtering firewalls provide protection. 
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As to dependent claims 2 and 3: 

Although Intrusion teaches receiving IP packets, it does not explicitly teach receiving all 
IP packets. However, this feature is inherent to all intrusion detection systems and is 
necessary to perform the functions they carry out. 

Receiving only IP packets / As broadly as stated, the invention as disclosed in Intrusion 
implemented in a network based solely on Internet Protocol would receive only IP 
packets. 

As to claim(s) 5: 

10. Intrusion teaches the use of coupling an intrusion detection system with a firewall 
(Page 194, Line 5 et seq., Intrusion) in a system for monitoring and detecting crackers 
in a network based on IP. Intrusion also teaches the classification of network data in 
pattern matching detection including general regular expressions (Page 170, Line 17 et 
seq., Intrusion). Intrusion does not explicitly teach classifying the acquired IP packets 
by source/destination IP. Cheswick teaches the classification of IP packets by 
source/destination IP as a general regular expression packet-filtering rule (Section 3.3, 
Line 5 et seq., Cheswick). It would have been obvious to a person of ordinary skill in 
the art at the time of invention to include the classification by source/destination as a 
general regular expression for use in the coupled IDS/Firewall system. One of ordinary 
skill in the art would have been motivated to include the classification by 
source/destination because such a classification is notoriously well known in the art as a 
packet-filtering rule to prevent many known forms of attacks. 
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As to claim(s)6-12: 

1 1 . The examiner takes official notice of both the motive and modification necessary 
to use the various patterns and characteristics listed in claims 6-12 as a means for 
detecting their associated attacks within the IDS/Firewall combination disclosed in 
Intrusion. 

12. Intrusion teaches the use of coupling an intrusion detection system with a firewall 
(Page 194, Line 5 et seq M Intrusion) in a system for monitoring and detecting general 
types of cracker attacks based on their known patterns and characteristics in a network 
based on IP. Intrusion also discloses a means for detecting attacks known as "syn- 
flood" (Page 267, Line 6 et seq., Intrusion), "Fragmented IP Packets" (Page 268, 
Intrusion), and "Brute force" (Page 172, Line 23 et seq., Intrusion). Intrusion does not 
explicitly teach the patterns and characteristics by which the abovementioned attacks 
are detecting, nor does it teach the other attack methods listed in the claims or their 
associated patterns and characteristics. It would have been obvious to a person of 
ordinary skill in the art at the time of invention to use the various patterns and 
characteristics listed in the claims as a means to detect their well known associated 
attacks. One of ordinary skill in the art would have been motivated to use these various 
patterns and characteristics as a means for detecting their associated attacks because 
attacks are defined by the characteristics they entail, and therefor must be detected in 
this manor. 
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As to claim(s) 18, 21,24: 

13. The examiner takes official notice of both the motive and modification necessary 
to filter packets from the source of the attack for a longer period of time than packets to 
the attack destination. 

14. Intrusion teaches the use of coupling an intrusion detection system with a firewall 
(Page 194, Line 5 et seq., Intrusion) in a system for filtering IP packets associated with 
an attack. Intrusion does not explicitly teach to filter packets from the source of the 
attack for a longer period of time than packets to the attack destination. It would have 
been obvious to a person of ordinary skill in the art at the time of invention to filter 
packets from the source of the attack for a longer period of time than packets to the 
attack destination. One of ordinary skill in the art would have been motivated to filter 
packets from the source of the attack for a longer period of time than packets to the 
attack destination because it is obviously beneficial for the attack destination being 
protected by the network monitoring system to return to packet receiving status 
immediately after the period of time characteristic to a certain type of attack. Similarly, it 
is obviously beneficial to reject packets as long as possible from the source of an attack, 
or until other action can be taken. 

1 5. As to claim(s) 28, it recites concomitance elements of previously rejected claims 
and therefor fail to distinguish over them accordingly. See above for the specifics of the 
rejection. 
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16. As to claim(s) 29, it further recites: 

Further comprising a packet filter / filtering capabilities to received packets (Page 194, 
Line 5 et seq., Intrusion) 



Conclusion 



17. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 

§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

18. A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

19. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jonathan R Adams whose telephone number is (703) 
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305-8894. The examiner can normally be reached on Monday - Friday from 10am to 
6pm. 

20. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse, can be reached on (703) 308-4789. The fax phone number 
for the organization where this application or proceeding is assigned is (703) 872-9306 
Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is (703) 305-3900. 
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